<html>
<head><meta charset="utf-8"><title>malicious packages · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html">malicious packages</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="194548624"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194548624" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194548624">(Apr 18 2020 at 14:58)</a>:</h4>
<p>interesting story here <a href="https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems" title="https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems">https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems</a></p>



<a name="194549855"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194549855" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194549855">(Apr 18 2020 at 15:24)</a>:</h4>
<p>Curious. With how accessible large-scale <a href="http://crates.io" title="http://crates.io">crates.io</a> analysis turned out to be, it should not be hard to build similar detection ourselves.</p>



<a name="194550050"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194550050" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194550050">(Apr 18 2020 at 15:28)</a>:</h4>
<p>Making this particularly interesting is the frequent discrepancy between executable name and <a href="http://crates.io" title="http://crates.io">crates.io</a> name for binaries. For example, the correct way to install <code>fd</code> is <code>cargo install fd-find</code>, and for <code>rg</code> it's <code>cargo install ripgrep</code>. This is just asking for malicious squatting.</p>



<a name="194585352"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194585352" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194585352">(Apr 19 2020 at 08:08)</a>:</h4>
<p>also, discrepancy between the code in the referenced repository, and the actual tarball downloaded by cargo</p>



<a name="194585370"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194585370" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194585370">(Apr 19 2020 at 08:09)</a>:</h4>
<p>I've long wondered if there's a good way to automatically check the <a href="http://crates.io" title="http://crates.io">crates.io</a> tarball against a tag on the git side, maybe award some kind of badge on the websites when they match or so</p>



<a name="194585382"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194585382" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194585382">(Apr 19 2020 at 08:09)</a>:</h4>
<p>right now I wouldn't even know how to get hold of that tarball easily. when I want to check crate sources I click the "repo" link on <a href="http://crates.io" title="http://crates.io">crates.io</a> and hope they match...</p>



<a name="194585419"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194585419" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194585419">(Apr 19 2020 at 08:10)</a>:</h4>
<p>having a "download" link might be a start</p>



<a name="194586222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194586222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194586222">(Apr 19 2020 at 08:35)</a>:</h4>
<p>Another interesting thing would be if the original and normalized <code>Cargo.toml</code> are equivalent.</p>



<a name="194598670"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194598670" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194598670">(Apr 19 2020 at 13:51)</a>:</h4>
<p>What do you mean by "normalized <code>Cargo.toml</code>"?</p>



<a name="194598897"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/malicious%20packages/near/194598897" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/malicious.20packages.html#194598897">(Apr 19 2020 at 13:56)</a>:</h4>
<p>In the <code>.crate</code> file, there is a file <code>Cargo.toml.orig</code>, which is the original <code>Cargo.toml</code> file, but also a <code>Cargo.toml</code> file that is derived from the original by normalizing it. It starts with:</p>
<div class="codehilite"><pre><span></span># THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
#
# When uploading crates to the registry Cargo will automatically
# &quot;normalize&quot; Cargo.toml files for maximal compatibility
# with all versions of Cargo and also rewrite `path` dependencies
# to registry (e.g., crates.io) dependencies
#
# If you believe there&#39;s an error in this file please file an
# issue against the rust-lang/cargo repository. If you&#39;re
# editing this file be aware that the upstream Cargo.toml
# will likely look very different (and much more reasonable)
</pre></div>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>